On April 3rd, we received a Cease and Desist letter from HashiCorp regarding our implementation of the "removed" block in OpenTofu, claiming copyright infringement on the part of one of our core developers. We were also made aware of an article posted that same day with the same accusations. We have investigated these claims and are publishing the C&D letter, our response and the source code origin document resulting from our investigation.

The OpenTofu team vehemently disagrees with any suggestion that it misappropriated, mis-sourced, or otherwise misused HashiCorp’s BSL code. All such statements have zero basis in facts.

HashiCorp has made claims of copyright infringement in a cease & desist letter. These claims are completely unsubstantiated.

The code in question can be clearly shown to have been copied from older code under the MPL-2.0 license. HashiCorp seems to have copied the same code itself when they implemented their version of this feature. All of this is easily visible in our detailed SCO analysis, as well as their own comments which indicate this.

Documents

To prevent further harassment of individual people, we have redacted any personal information from these documents.

Conclusion

Despite these events, we have managed to carry out significant development on OpenTofu 1.7, including state encryption, “for_each” implementation for “import” blocks, as well as the all-new provider-defined functions supported by the recently released provider plugin protocol.

On that note, we will be releasing a new pre-release version next week, and we are eager to gather feedback from the community.

— The OpenTofu Team


The image in this blog post contains code licensed under the BUSL-1.1 by HashiCorp. However, for the purposes of this post we are making non-commercial, transformative fair use under 17 U.S. Code § 107. You can read more about fair use on the website of the US Copyright Office.

[-] Saganaki@lemmy.one 110 points 8 months ago

This is unrelated to this topic exactly, but I don’t know what OpenTofu is nor what it is for, so I looked at the FAQ.

What is OpenTofu?

OpenTofu is a Terraform fork, created as an initiative of Gruntwork, Spacelift, Harness, Env0, Scalr, and others, in response to HashiCorp’s switch from an open-source license to the BUSL. The initiative has many supporters, all of whom are listed here.

This is practically a meme…I have no idea what all of these are (coming from my area of expertise).

[-] hydroptic@sopuli.xyz 54 points 8 months ago* (last edited 8 months ago)

I've run into this problem with many open source projects. It's sometimes really hard to find out what the hell something actually does based on just the project's own pages. It took a while for e.g. join-lemmy.org to actually describe what Lemmy is, for example, instead of just going on about it being open source and secure and federated and blah.

[-] deweydecibel@lemmy.world 17 points 8 months ago* (last edited 8 months ago)

That's just a classic issue with most tech people: they either forget or don't know how to adjust their speech for a different audience than themselves. Often they don't even comprehend just how much "common knowledge" isn't actually common outside their social spaces.

Then there's some that are deliberately refusing to help uninformed people understand, or are even outright hostile to them.

[-] SorteKanin@feddit.dk 4 points 8 months ago

Often they don’t even comprehend just how much “common knowledge” isn’t actually common outside their social spaces.

I see this literally all the time in the documentation that my coworkers write. I think it's kinda wild. Like do people really not have this self awareness? Or am I just as bad without realizing it? That's what scares me.

[-] hydroptic@sopuli.xyz 3 points 8 months ago

Yeah I really don't know where hostility against newbies (actual or perceived) comes from in nerd circles. It's been like this for as long as I can remember, and I've been e.g. using Linux from the late 90's and fucking around on the Internet for over 30 years now. At least things are way better than they used to be, but it's still sometimes a bit of a bumpy ride.

[-] Aatube@kbin.melroy.org 28 points 8 months ago

Terraform is an infrastructure-as-code software tool created by HashiCorp. Users define and provide data center infrastructure using a declarative configuration language known as HashiCorp Configuration Language (HCL), or optionally JSON. —Wikipedia

[-] Saganaki@lemmy.one 6 points 8 months ago

It made more sense when I dug into it more deeply, but still—gave me a chuckle.

[-] xantoxis@lemmy.world 15 points 8 months ago* (last edited 8 months ago)

Terraform and OpenTofu are great tools for building virtual infrastructure, e.g. using AWS API calls to spin up AWS virtual machines and provision them with networks and security relationships and stuff like that--in an automated, repeatable way. They are generalized tools for deploying and modifying infrastructure, even if it's not in the cloud (there are many tools in these frameworks that apply to self-hosted setups).

The rest of the words after "Terraform fork" are just the names of companies that decided to help OpenTofu, and are not especially helpful in understanding what it is or what it's used for.

[-] AnUnusualRelic@lemmy.world 3 points 8 months ago

I thought they were random names created for the funni.

[-] Miaou@jlai.lu 1 points 8 months ago

I see we went through exactly the same process.

[-] JakenVeina@lemm.ee 1 points 8 months ago

I had the exact same question, did the exact same thing, and had the exact same response. EVERYONE does this, it's infuriating. If you're going to have a public-facing info page about your project or product, you need to assume that people know NOTHING about it.

[-] Deebster@programming.dev 73 points 8 months ago

Pretty shitty attempt on HashiCorp's part. Come to think of it, are HashiCorp themselves in the legal clear for grabbing code from an incompatible licence?

[-] dariusj18@lemmy.world 24 points 8 months ago

Well, I'm sure they are worried about their new deal with IBM that they've obviously been working on for a while.

[-] deweydecibel@lemmy.world 22 points 8 months ago

Yep, the timing lines up. As part of the buyout offer, they probably had to demonstrate an effort to cripple the open source fork of the thing IBM wants to buy.

[-] lanolinoil@lemmy.world 9 points 8 months ago

We're in the age of corporate corruption and they're public -- Probably would get sued by investors for not ruthlessly hamstringing all stakeholders in the space. Fuck this place.

[-] kevincox@lemmy.ml 5 points 8 months ago

I don't think OpenTofu is accusing them of taking any code from an incompatible license. Just saying that both parties did the same thing.

IIUC all past Terraform code was copyright assigned via a CLA. This is what allowed them to re-license in the first place. So even if the previous code was offered under an incompatible license they own the copyright so it doesn't matter.

[-] Deebster@programming.dev 4 points 8 months ago

I'm not saying OpenTofu is doing any accusing, but I am. I was thinking an original author had the sole right to relicense code but I guess they found some legally plausible way to get it done. I wonder if the author was an OpenTofu employee.

[-] kevincox@lemmy.ml 3 points 8 months ago

See https://en.wikipedia.org/wiki/Contributor_License_Agreement#Relicensing_controversy for a basic overview.

Lots of projects will have a CLA that basically says "You assign copyright of your work to us" or some sort of unlimited rights grant to the project. So depending on the exact CLA the author may completely transfer ownership of the patch to the project, maintain ownership but grant the project a licence to do basically anything with it (including re-licencing) or for less strong CLAs just confirm that you license the code under the project license.

[-] Deebster@programming.dev 1 points 8 months ago

Thanks for the link, I forgot about CLAs. Interesting - this kind of thing seems to be controversial but common.

[-] kevincox@lemmy.ml 4 points 8 months ago* (last edited 8 months ago)

They are a powerful tool. They are controversial because they can be used for good and evil. For example even some FSF projects require copyright assignment: https://www.gnu.org/licenses/why-assign.en.html. (It used to be all projects, but many of them have switched to DCO, for example glibc.)

But of course it also means that an organization can take code in a GPL project and start distributing closed-source versions.

[-] originalucifer@moist.catsweat.com 22 points 8 months ago

detailed SCO analysis

groklaw ptsd flashback

[-] DirigibleProtein@aussie.zone 13 points 8 months ago

I saw that too and thought “here we go again”, but in this case it seems SCO stands for Source Code Origin.

this post was submitted on 25 Apr 2024